Interesting People mailing list archives

IP: PFIR Statement on Recent Internet DoS Attacks
From: Dave Farber <farber () cis upenn edu>
Date: Thu, 10 Feb 2000 07:07:04 -0500
           PFIR Statement on Recent Internet Denial of Service Attacks

                    (http://www.pfir.org/statements/02.09.00)

         PFIR - People For Internet Responsibility - http://www.pfir.org

2/9/00

Greetings.  The recent rash of "Denial of Service" (DoS) attacks on major
Internet sites such as Yahoo!, E-Bay, CNN, and others, has caused outcries
of surprise and consternation in many quarters, and has become the lead
story for many newscasts.  But these attacks come as no surprise to many of
us, who have long predicted that these sorts of events would come to pass.
It's basically easy to understand.  Imagine a small firm with two phone
lines.  Now have 10,000 people at pay phones scattered around the world all
trying to call that company at once, and hanging up as soon as there is an
answer.  Few (if any) customer calls will get through, and finding the
perpetrators will be problematic at best.

A variety of software tools are available for launching effectively
anonymous DoS attacks on the Internet, which in many cases may involve
otherwise innocent computers "hijacked" for this purpose.  While some of
the simpler attack methods may be repelled to a degree by "filtering" to
block some of the offending data, the fundamental structure of the existing
Internet makes complete solutions essentially impossible.  We can expect to
see a rapid evolution in the sophistication of such attacks and their
relative invulnerability to quick eradication.  There will not be simple
answers of any lasting value.

There are a number of very important lessons to be learned from these
events.  It seems apparent that the rush to move all manner of important or
even critical commercial, medical, government, and other applications onto
the Internet and Web has far outstripped the underlying reality of the
existing Internet infrastructure.

Compared with the overall robustness of the U.S. telephone system, the
Internet is a second-class citizen when it comes to these kinds of
vulnerabilities.  Nor will simply throwing money at the Internet
necessarily do much good in this regard.  More bandwidth, additional
servers, and faster routers--they'd still be open to sophisticated (and
even not so sophisticated) attacks which could be triggered from one PC
anywhere in the world.

In the long run, major alterations will be needed in the fundamental
structure of the Internet to even begin to get a handle on these sorts of
problems, and a practical path to that goal still remains fuzzy at this
time.

For now, it might be advisable for everyone to remember that the Internet,
for all its wonders, is in many ways very fragile.  We must not allow
ourselves to get into a position where being cut off from a site for a few
hours--or even longer--puts people or property at risk.  Our lives should
not revolve around guaranteed 24/7 access to E-Bay, or Yahoo!, or *any*
site on the public Internet, regardless of its importance.  The need for
alternative access methods for critical systems, and the potential
recklessness of eliminating older systems in exchange for 100% Internet
dependence, cannot be overstated.

The current attacks are sure to be but the beginning.  Many even more
attractive targets are likely to be appearing that will draw ever more
sophisticated fire.  Imagine what a concerted denial of service attack
might do to an election with Internet/Web-based voting--a technology being
pushed on a fast track in many quarters.

It's time to get past the "dot com" hype and to start considering carefully
the realities, and limits, of the technology on which we're trying to base
so much, so very fast.  If we continue to plow ahead without heeding these
lessons, it will be at our extreme peril.

--Lauren--
lauren () vortex com
Lauren Weinstein
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy